The present invention relates to how enterprise networks can create (internally or with their external service provider partners) Virtual Private Networks (VPNs) for different groups of clients and/or host applications, referred to herein as Group VPNs.
Enterprise networks often require different types of functional and/or organizational groups of users. Within the enterprise network, those groups have different privacy requirements for their Internet Protocol (IP) communication between their client users and/or between their client users and their host applications.
Present Network Data Protection Solutions
Most of the time, network traffic is sent “in the clear”, unsecured without encryption or authentication of the sender and receiver. In order to allow private traffic to be sent in a secure manner, a number of security schemes have been proposed and are in use today. Some are application dependent, such as a specific program performing password authentication. Others, such as Security Socket Layer/Transport Layer Security (SSL/TLS), are designed to provide comprehensive security to specific classes of traffic such as Web traffic.
IPSec, as defined in RFC 2401, can work in tunnel mode by encrypting a data packet (if encryption is required since IPSec can be used for authentication only), performing a secure hash (or authentication) on the packet, then wrapping the resulting packet in a new IP packet with a new header indicating it has been secured using IPSec.
The two endpoints where data protection through encryption is enforced are called Policy Enforcement Points (PEPs).
The two PEPs must establish the IPSec security services through a Security Association (SA) and in particular, the encryption keys. This is can be accomplished using the Internet Key Exchange (IKE) protocol, as defined in RFC 2409 (or RFC 4206 for its version 2), that negotiates keys in two phases: the first phase is used to secure a communication channel between the two PEPs; the second phase is used to create two unidirectional IPSec SAs. Traffic can now be encrypted based on the IPSec policy that defines the type of traffic to be protected between two identified IP addresses or subnets.
Limitations When Securing Networks with IPSec
While IPSec secures IP traffic at the network layer, key exchange mechanisms create a number of practical limitations when IPSec is deployed in networks.
Manual keys are not generally used because of the configuration challenges and re-key requirements to implement them in large networks. For those reasons, IKE is normally used for key exchange. However, IKE is based on a secure connection being established between two PEPs and a resulting key negotiation being completed between those two PEPs. As a result, this connection-oriented nature of IKE has a few drawbacks.
If the traffic needs to be sent and/or received through multiple paths, as would be the case in a resilient network, there is no single pair of points that can be identified to perform key negotiation and no single PEP that can be selected as the ultimate destination in the IPSec tunnel header.
Finding a Balance Between Data Protection and Access Control
In an enterprise network, data availability enables business productivity. However, the availability of enterprise data requires managing the business risks associated with that availability. Data that is secured, but not available to users is worthless. Data that is accessed by users, but is unsecured is at risk. The challenge is to find the right balance between data protection and data availability.
Generally in an enterprise, different types of data are accessed by different types of users or groups. For example, users of the same business unit or the same organizational group such as engineering or finance might need to access the same data concurrently. Different business units or different organizational groups have different security requirements. Generally, protection of data for a financial or a legal department is somewhat different than data protection for a marketing or engineering department. In addition, some group transactions such as financial transactions might be secure, while other group transactions such as administrative information might be in the clear.
Connectivity in Networks with Complex Boundaries
If organizational flow charts are usually informally or formally known within an enterprise, the various network links that establishes the data communication paths between client users and application data are generally more difficult to establish for network administrators.
Large enterprise networks have more and more complex physical and logical boundaries inside a building or across remote buildings, campuses or countries. Large enterprise networks also have complex physical and logical boundaries between internal, remote and external users of enterprise applications.
Therefore, provisioning any management functions, in particular security functions, that might affect various users of the same group is somewhat challenging. Even if it is easy to identify the members of the group, it is much more difficult to discover their physical communication paths for large scale networks.